  1. #1 KDesigns (joined Oct 2003, location: Your Monitor, 1,146 posts)

    Emailing a Forgotten Password

    Hey everybody,

    I've scripted a User Authentication system for a client and everything works great so far. He wants to add a "forgot password" feature that his visitors can use if they forget their password.

    I've got the MySQL database setup and a table for their email address.

    What I need to do is simply create a form that someone will put their email address into and submit it. When they submit the form, I need to query the database and shoot the email address entered a message that includes the password associated with that email.

    What's the easiest and quickest way to do this???

    Your help... as always ... is appreciated!!
    ChooseDaily.com - Follow on Twitter
    Top Resources for Web Designers and Developers Every Day!

  2. #2 KLB (joined Nov 2003, location: Maine USA, 3,781 posts)
    Given the fact that so many users use the same password for everything, it isn't wise to email the password so to speak, besides which it should be stored in the database as an MD5 hash or some equivalent.

    The method I use on my sites is to have a special field in the table that will store a temporary string. When someone asks for their password to be recovered a random key is generated and stuck into this spare field. Then an email is sent to them with the special key embedded into a URL in the message. By clicking on the URL the site will recognize them and allow them to reset their password to whatever they want.

    Whether you use a more secure method or simply pass a plain text password, you can simply use PHP's built in mail function. Of course the password/special key should only be emailed to the email account that is stored along with the user's profile in the database.
    Ken Barbalace: EnvironmentalChemistry.com (Blog, Careers)
    InternetSAR.org
    Volunteers Assist Search and Rescue via Internet
    My Firefox Theme: Classic Compact
    Based on Firefox's default theme but uses much less window space

  3. #3 boccio (joined Oct 2003, location: Belgrade, 354 posts)
    Quote Originally Posted by KDesigns
    What I need to do is simply create a form that someone will put their email address into and submit it. When they submit the form, I need to query the database and shoot the email address entered a message that includes the password associated with that email.
    I have to agree with KLB - it's better to use a more secure method, hence to keep pwds in the db encrypted...but if u want to stick to the scenario you explained, make one change: don't ask for the e-mail address in the form! Ask for the user name, and send the pwd to the e-mail address associated with the user name during registration...
    If u ask for e-mail address, and wrong one is entered, what happens? You display error msg? That way you politely inform attacker he entered wrong address and give him opportunity to try again...
    One more thing - when user requests pwd, temporarily 'flag' his account so he cannot ask for it over and over again...

    stay good
    Vivvo CMS - Web publishing at your fingertips
    Mile loves disco, and I love white Colombian

  4. #4 KDesigns (joined Oct 2003, location: Your Monitor, 1,146 posts)
    Okay...

    I do have the passwords stored in the database encrypted. This means I won't even be able to email them the password huh? How can I go about setting it up like you mentioned KLB??

    Thanks in advance!!!

  5. #5 SitePoint Zealot (joined Jul 2003, location: Palo Alto, 179 posts)
    Quote Originally Posted by boccio
    One more thing - when user requests pwd, temporarily 'flag' his account so he cannot ask for it over and over again...
    This is a good idea, but be careful how you use it. The last thing you want to do is anger a valid user simply because she's having trouble remembering her password.

    Quote Originally Posted by KLB
    The method I use on my sites is to have a special field in the table that will store a temporary string. When someone asks for their password to be recovered a random key is generated and stuck into this spare field. Then an email is sent to them with the special key embedded into a URL in the message. By clicking on the URL the site will recognize them and allow them to reset their password to whatever they want.
    I definitely agree with this. Don't email the original password, and when a "forgot password" request is made, reset the original immediately and email the owner with a notification of the event and a means to (a) get back in to the system and set a new password, and (b) contact you if for some reason they can't get back in.

    Lastly, if you're not using SSL, none of this matters much.
    I think there is a world market for maybe five computers.
    - Thomas Watson, chairman of IBM, 1943.

  6. #6 KLB (joined Nov 2003, location: Maine USA, 3,781 posts)
    For security purposes, I can't divulge my source code, however, I can give you the gist of how your code should work.

    1) User clicks on a "Forgot Password" link

    2) Browser asks for username

    3) Upon form submission of username, server side script will filter user table for the record matching submitted username.

    4) Create a random hash (here's an example):
    Code:
    	// $email is the address on file for the account matched in step 3
    	$resetstring = substr(crypt(microtime()), 12);
    	$strSalt = substr(crypt($email), 12, 9);
    	$resetstring = substr(crypt($resetstring, $strSalt), 0) . "r";
    The goal is to create a really short URL to prevent line wrap problems in the email message, and the code above will create a reasonably short key.

    5) Write unique key to special password reset field of account in question

    6) Send email message to user with a URL similar to this: http://mydomain.com/pr/<? echo $resetstring; ?>

    7) When the user clicks on the link, the following .htaccess entry will redirect the user to the correct spot:
    RewriteRule ^pr/(.*) /recover.html?recover=$1

    8) On this page there will be a form that contains the recovery key as a hidden value and asks for a new password and to repeat new password.

    9) Upon submission of this form, the record containing this recovery key will be updated with the new password and the recovery key deleted. Eliminating recovery keys after the password has been reset eliminates this back door and reduces the risk (however small) of there being duplicate recovery keys in the database.

    10) User logs in using new password.

    Expect the entire process to take you at least a couple hundred lines of code.
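The ten steps above as working code. This is an added example, not KLB's code (he says he can't share his) and not anything from this thread's authors: it follows the same flow (username in, random key stored in a spare field, key in a URL, new password submitted with the key, key deleted) but goes a little further, storing only a hash of the key, giving it an expiry, accepting it exactly once, and throttling repeat requests as boccio suggested while returning the same outward result for known and unknown usernames. The key comes from random_bytes() rather than crypt(microtime()). Step 7 (the .htaccess rewrite) and the mail() call are left out; the table, column and function names, the one-hour and five-minute limits, and the placeholder host are all this example's own assumptions. It uses an in-memory SQLite database through PDO (the pdo_sqlite extension is assumed) so it runs stand-alone; a real site would point the same queries at its MySQL users table.

```php
<?php
// Added example, not KLB's code: password-reset key flow following the ten steps above,
// with the key stored only as a hash, given an expiry, accepted once, and requests throttled.
// In-memory SQLite via PDO (pdo_sqlite assumed) so it runs stand-alone; names are assumptions.
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 3600;    // assumption: a reset link is valid for one hour
const MIN_REQUEST_INTERVAL = 300;  // assumption: at most one request per account per 5 minutes

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // reset_token_hash is the "special field": it holds SHA-256 of the key, never the key
    // itself, so a copy of the table does not hand out working reset links.
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        username TEXT UNIQUE NOT NULL,
        email TEXT NOT NULL,
        password_hash TEXT NOT NULL,
        reset_token_hash TEXT,
        reset_expires INTEGER,
        reset_requested INTEGER
    )');
    return $db;
}

// Steps 3-5: look up the username, throttle repeats, generate the key, store its hash.
// Returns the key to embed in the email, or null when nothing should be sent. The caller
// shows the same "if that account exists, mail is on its way" message in both cases, so the
// form does not confirm which usernames are registered.
function beginReset(PDO $db, string $username, int $now): ?string
{
    $stmt = $db->prepare('SELECT id, reset_requested FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    if ($row['reset_requested'] !== null && $now - (int) $row['reset_requested'] < MIN_REQUEST_INTERVAL) {
        return null; // the temporary "flag": slow repeated requests without locking the account
    }
    $token = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG, 32 URL-safe characters
    $upd = $db->prepare('UPDATE users SET reset_token_hash = ?, reset_expires = ?, reset_requested = ? WHERE id = ?');
    $upd->execute([hash('sha256', $token), $now + TOKEN_TTL_SECONDS, $now, $row['id']]);
    return $token;
}

// Step 6: the link placed in the message (host is a placeholder; the /pr/ path matches the thread).
function resetUrl(string $token): string
{
    return 'https://mydomain.example/pr/' . $token;
}

// Step 9: the form posts the key plus the new password; the key must match and be unexpired,
// and it is cleared in the same update as the password change so it cannot be replayed.
function completeReset(PDO $db, string $token, string $newPassword, int $now): bool
{
    $stmt = $db->prepare('SELECT id, reset_expires FROM users WHERE reset_token_hash = ?');
    $stmt->execute([hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['reset_expires'] < $now) {
        return false;
    }
    $upd = $db->prepare('UPDATE users SET password_hash = ?, reset_token_hash = NULL, reset_expires = NULL WHERE id = ?');
    $upd->execute([password_hash($newPassword, PASSWORD_DEFAULT), $row['id']]);
    return true;
}

// Walk-through with one constructed account (sample data, not from any real site).
function expect(bool $cond, string $what): void
{
    echo ($cond ? 'ok   ' : 'FAIL ') . $what . PHP_EOL;
}

$db = openDb();
$db->prepare('INSERT INTO users (username, email, password_hash) VALUES (?, ?, ?)')
   ->execute(['alice', 'alice@example.com', password_hash('old-secret', PASSWORD_DEFAULT)]);
$now = time();

$token = beginReset($db, 'alice', $now);
expect($token !== null, 'key issued for a known username');
echo 'Mail to alice@example.com: ' . resetUrl($token) . PHP_EOL;
expect(beginReset($db, 'alice', $now + 10) === null, 'second request inside the interval is throttled');
expect(beginReset($db, 'nobody', $now) === null, 'unknown username gets the same null, no error shown');
expect(!completeReset($db, 'not-the-key', 'new-secret', $now), 'wrong key rejected');
expect(!completeReset($db, $token, 'new-secret', $now + TOKEN_TTL_SECONDS + 1), 'expired key rejected');
expect(completeReset($db, $token, 'new-secret', $now + 60), 'valid key resets the password');
expect(!completeReset($db, $token, 'again', $now + 61), 'key cannot be reused after the reset');
```

Run it with `php reset_example.php`; every line should print `ok`. The point of hashing the stored key and clearing it in the same UPDATE as the password change is that neither a database read nor a second click on the same link yields a reset, which is the "back door" KLB's step 9 is closing.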

  7. #7 Toly (joined Sep 2001, location: Panama, 2,181 posts)
    Quote Originally Posted by boccio
    If u ask for e-mail address, and wrong one is entered, what happens? You display error msg? That way you politely inform attacker he entered wrong address and give him opportunity to try again...
    In that case there should be two forms, one asking for the email and another one for the username. Sometimes a user might forget his/her username too.

    "He that is kind is free, though he is a slave;
    he that is evil is a slave, though he be a king." - St. Augustine

  8. #8 KLB (joined Nov 2003, location: Maine USA, 3,781 posts)
    My solution is to simply use their email address as their username. It does punish those with long email addresses, but it is one thing they typically won't forget. I don't feel it really lowers the security of an account as stuff will only be sent to that email address, which will make it hard to intercept the password resets.

  9. #9 boccio (joined Oct 2003, location: Belgrade, 354 posts)
    Quote Originally Posted by Toly
    In that case there should be two forms, one asking for the email and another one for the username. Sometimes a user might forget his/her username too.
    Well, you have a point there, but following that paradigm, one might forget it all! username, pwd, e-mail address...Our priority as coders is to make the process of recovering forgotten passwords user-friendly, however only to the level which doesn't compromise security.
    I'd rather have some user pis**d off cuz he has to open a new account or contact website staff because he forgot both username and e-mail address, than compromise the passwords of 99% of registered users...

    @KLB: nicely done, indeed...just one q: why "mask" the URL of the password retrieval page with mod_rewrite? The random number is long enough to prevent brute force, or maybe I miss something?
